7 Cybersecurity Risks for 2014

To help businesses best prepare for the year ahead, risk mitigation and response solutions firm Kroll has identified seven trends that indicate a changing tide in cyber standards. These changes will require organizations to take stronger actions and safeguards to protect against reputational, financial and legal risks.

"Most organizations have invested in preventative security technologies, but remain unprepared to launch an effective response to a leak or intrusion," said Tim Ryan, a Kroll managing director and Cyber Investigations practice leader. "Without the right tools and policies in place beforehand, they find themselves suddenly under intense pressure to investigate, track and analyze events."

Kroll predicts that the new cybersecurity issues for 2014 will include:

National Institute of Standards and Technology (NIST) and similar security frameworks will become the de facto standards of best practices for all companies: Cybersecurity strategies largely designed for companies that were part of the "critical infrastructure" will become more of an expectation for everyone, from conducting an effective risk assessment to implementing sound cybersecurity practices and platforms. Organizations that don't follow suit may find themselves subject to shareholder lawsuits, actions by regulators and other legal repercussions.

Alan Brill, senior managing director at Kroll, said this trend will move the United States in the direction of the EU, where there is a greater recognition of privacy as a right.

"As new laws evolve that reflect the NIST guidelines and look more like the EU privacy directive, some U.S. companies will find themselves ill-prepared to effectively respond to the regulations," Brill said. "To minimize their risk, organizations will have to get smart on these standards and make strategic business decisions that give clients and customers confidence that their information is protected."

The data supply chain will pose continuing challenges to even the most sophisticated enterprises: It is not unusual for companies to store or process the data they collect by using third parties. However, the security that these third parties use to safeguard their client's data is frequently not understood by businesses that hire them until there is a breach. Companies will need to vet their subcontractors closely and get specific as to the technical and legal roles and responsibilities of these subcontractors in the event of a breach.

"Companies should know who they are giving their data to and how it is being protected," Ryan said. "This requires technical, procedural and legal reviews."

The malicious insider remains a serious threat, but will become more visible: Whether it was Shakespeare's Caesar or America's Benedict Arnold, people have long known the pain of betrayal by those they trust. Information technology simply made the betrayer's job easier. In 2014, a significant number — if not almost half — of data breaches will come at the hands of people on the inside. However, as the federal government and individual states add muscle to privacy breach notification laws and enforcement regimes, these hidden insider attacks will become more widely known.

Ryan said the insider threat, which often goes unreported, is insidious and complex.

"Thwarting it requires collaboration by general counsel, information security and human resources," he said. "SEC breach disclosure of 'material losses' may be the model for rules requiring a company to be more transparent and answerable for allowing bad actors to go unpunished."

Corporate board audit committees will take a greater interest in cybersecurity risks and the organization's plans for addressing them: With more and more data breaches — from theft of trade secrets to loss of customer information — in the headlines, corporate audit committees are beginning to focus on the connection between cybersecurity and an organization's financial well-being. As such, these committees will expand their attention beyond the financial audit process to also include the organization's strategic plans for protecting non-public information. They will also look at risk-mitigation plans for responding to a possible breach.

"As corporate boards carry out their fiduciary responsibilities, they must also protect the company from possible shareholder lawsuits that allege the company's cybersecurity wasn't at a level that could be reasonably viewed to be 'commercially reasonable' and that incident response plans weren't in place to mitigate the risk," Brill said. "The challenge they face is determining what is a reasonable level of security and response, and who should make that call. Is it their IT team, an industry expert, an independent third party?"

Sophisticated tools will enable smart companies to quickly uncover data breach details and react faster: Company leaders realize that even the best firewalls and intrusion detection systems cannot stop all attacks. But technological progress that occurred over the last 12 months will enable companies to unravel events and see with near–real-time clarity what's happened to their data and how much damage has been done.

Most organizations have invested in preventative security technologies, but remain unprepared to launch an effective response to a leak or intrusion, Ryan said. Without the right tools and policies in place beforehand, they find themselves suddenly under intense pressure to investigate, track and analyze events.

"We've seen a dramatic improvement in response technology over the last year," Ryan said. "Companies have never had a better opportunity to enhance their existing protocols with a methodology that can mean an informed and timely response."

New standards related to breach remediation are gaining traction and will have a greater impact on corporate data breach response: Credit monitoring will no longer be the gold standard in breach remediation in 2014, as lawmakers, consumer advocates and the public at large continue to raise questions about the relevancy and thoroughness of this as a stand-alone solution. These parties will demand a more effective alternative. While no legal guidelines currently exist for consumer remediation, the FTC and states like California and Illinois are already offering guidance that suggests a risk-based approach to consumer remediation will be the way of the future.

"That's not to say that credit monitoring is useless, because it's a valuable tool when it aligns with the type of data exposed," Brill said. "Rather, companies will need to gain a better understanding of their actual breach risks, how the breach could actually affect their customers, and the best way to remedy those specific risks and provide better protection to the affected consumers."

As cloud and BYOD adoption continues to accelerate, implementing policies and managing technologies will require greater accountability: The development and evolution of cloud services and BYOD have moved at a whirlwind pace, leaving IT departments scrambling to get out in front of the technologies and employee usage. In 2014, IT leaders will need to work closely with senior leadership and legal counsel to adapt corporate policies in a way that addresses changing legal risks, while effectively meeting the needs of the organization.

Brill said that up until now, cloud and BYOD adoption has been like the Wild West — uncharted, unregulated and facing few restrictions.

"While it's implausible to anticipate every possible risk presented by the use of the cloud and BYOD, companies that have integrated these technologies into their corporate policies, IT security and risk-management plans will be much better prepared to fulfill their legal obligations," Brill said. "Organizations must realize that even if they don't want to deal with this, they're not going to have much choice."